<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span>Hi,</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span>This is very interesting..:)</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span>I am using openstack grizzly allinone with quantum/neutron.</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0,
0); background-color: transparent; font-style: normal;"><span><br></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span>Look what I am observing. </span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><span style="font-weight: bold;">-before starting an instance on the server</span></div><div style="background-color: transparent;">root@ubuntu1204:~# iptables-save -t filter</div><div style="background-color: transparent;"># Generated by iptables-save v1.4.12 on Tue Jul 23 20:22:55 2013</div><div style="background-color: transparent;">*filter</div><div style="background-color: transparent;">:INPUT ACCEPT [62981:17142030]</div><div style="background-color: transparent;">:FORWARD ACCEPT [0:0]</div><div
style="background-color: transparent;">:OUTPUT ACCEPT [62806:17138989]</div><div style="background-color: transparent;">:nova-api-FORWARD - [0:0]</div><div style="background-color: transparent;">:nova-api-INPUT - [0:0]</div><div style="background-color: transparent;">:nova-api-OUTPUT - [0:0]</div><div style="background-color: transparent;">:nova-api-local - [0:0]</div><div style="background-color: transparent;">:nova-filter-top - [0:0]</div><div style="background-color: transparent;">-A INPUT -j nova-api-INPUT</div><div style="background-color: transparent;">-A INPUT -p gre -j ACCEPT</div><div style="background-color: transparent;">-A FORWARD -j nova-filter-top</div><div style="background-color: transparent;">-A FORWARD -j nova-api-FORWARD</div><div style="background-color: transparent;">-A OUTPUT -j nova-filter-top</div><div style="background-color: transparent;">-A OUTPUT -j nova-api-OUTPUT</div><div style="background-color: transparent;">-A
nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT</div><div style="background-color: transparent;">-A nova-filter-top -j nova-api-local</div><div style="background-color: transparent;">COMMIT</div><div style="background-color: transparent;"># Completed on Tue Jul 23 20:22:55 2013</div><div style="background-color: transparent;">root@ubuntu1204:~# </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span style="font-weight: bold;">-after starting an instance on the host</span></div><div><div>root@ubuntu1204:~# iptables-save -t filter</div><div># Generated by iptables-save v1.4.12 on Tue Jul 23 20:24:42 2013</div><div>*filter</div><div>:INPUT ACCEPT [90680:24989889]</div><div>:FORWARD ACCEPT [0:0]</div><div>:OUTPUT ACCEPT [90482:24984752]</div><div>:nova-api-FORWARD -
[0:0]</div><div>:nova-api-INPUT - [0:0]</div><div>:nova-api-OUTPUT - [0:0]</div><div>:nova-api-local - [0:0]</div><div>:nova-compute-FORWARD - [0:0]</div><div>:nova-compute-INPUT - [0:0]</div><div>:nova-compute-OUTPUT - [0:0]</div><div>:nova-compute-inst-35 - [0:0]</div><div>:nova-compute-local - [0:0]</div><div>:nova-compute-provider - [0:0]</div><div>:nova-compute-sg-fallback - [0:0]</div><div>:nova-filter-top - [0:0]</div><div>-A INPUT -j nova-compute-INPUT</div><div>-A INPUT -j nova-api-INPUT</div><div>-A INPUT -p gre -j ACCEPT</div><div>-A FORWARD -j nova-filter-top</div><div>-A FORWARD -j nova-compute-FORWARD</div><div>-A FORWARD -j nova-api-FORWARD</div><div>-A OUTPUT -j nova-filter-top</div><div>-A OUTPUT -j nova-compute-OUTPUT</div><div>-A OUTPUT -j nova-api-OUTPUT</div><div>-A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT</div><div>-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68
--dport 67 -j ACCEPT</div><div><span style="font-weight: bold;">-A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT</span></div><div>-A nova-compute-inst-35 -m state --state INVALID -j DROP</div><div>-A nova-compute-inst-35 -m state --state RELATED,ESTABLISHED -j ACCEPT</div><div>-A nova-compute-inst-35 -j nova-compute-provider</div><div>-A nova-compute-inst-35 -s 172.24.17.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT</div><div>-A nova-compute-inst-35 -s 172.24.17.0/24 -j ACCEPT</div><div>-A nova-compute-inst-35 -p tcp -m tcp --dport 22 -j ACCEPT</div><div>-A nova-compute-inst-35 -p icmp -j ACCEPT</div><div>-A nova-compute-inst-35 -j nova-compute-sg-fallback</div><div>-A nova-compute-local -d 172.24.17.1/32 -j nova-compute-inst-35</div><div>-A nova-compute-sg-fallback -j DROP</div><div>-A nova-filter-top -j nova-compute-local</div><div>-A nova-filter-top -j
nova-api-local</div><div>COMMIT</div><div># Completed on Tue Jul 23 20:24:42 2013</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">It seams that the rule that accepts dhcp packets is created once an instance is spawned.</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I will try the same thing on an centos64.</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">Regards,</div><div style="font-family: 'times new roman', 'new york', times, serif;
font-size: 12pt;">Gabriel</div></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 16px; color: rgb(0, 0, 0); background-color: transparent; font-style: normal;"><br></div> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> David Kang <dkang@isi.edu><br> <b><span style="font-weight: bold;">To:</span></b> Staicu Gabriel <gabriel_staicu@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "openstack@lists.launchpad.net (openstack@lists.launchpad.net)" <openstack@lists.launchpad.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, July 23, 2013 7:59 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Openstack]
[Quantum/Neutron] VM cannot get IP address from
DHCP server<br> </font> </div> <div class="y_msg_container"><br><br> Thank you for your suggestion.<br><br> We are using Quantum/Neutron not nova-network.<br>So, we don't use br100.<br>(I believe you are using nova-network.)<br><br> And the firewall rules that cause problem reside on the Quantum node<br>not on the nova-compute node.<br>I cannot find any rule for "--dport 67" on my Quantum node.<br>I used "service iptables status" command to check the firewall rules.<br><br> Thanks,<br> David<br><br><br>----- Original Message -----<br>> Hi,<br>> <br>> Please can you look up in the iptables?<br>> Normally on a working openstack host the packets comming in the filter<br>> table in the input chain are directed to the nova-network-INPUT which<br>> has a rule to accept dhcp packets.<br>> On my setup is something like:<br>> -A INPUT -j nova-network-INPUT<br>> <br>> .<br>> .<br>> .<br>> -A nova-network-INPUT -i br100 -p
udp -m udp --dport 67 -j ACCEPT<br>> <br>> <br>> So I think you have to look somewhere else for your issue.<br>> <br>> <br>> Regards,<br>> Gabriel<br>> <br>> <br>> <br>> <br>> <br>> <br>> From: David Kang <<a ymailto="mailto:dkang@isi.edu" href="mailto:dkang@isi.edu">dkang@isi.edu</a>><br>> To: "<a ymailto="mailto:openstack@lists.launchpad.net" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a> (<a ymailto="mailto:openstack@lists.launchpad.net" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>)"<br>> <<a ymailto="mailto:openstack@lists.launchpad.net" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>><br>> Sent: Tuesday, July 23, 2013 7:22 PM<br>> Subject: [Openstack] [Quantum/Neutron] VM cannot get IP address from<br>> DHCP server<br>> <br>> <br>> <br>> Hi,<br>> <br>> We are running
OpenStack Folsom on CentOS 6.4.<br>> Quantum-linuxbridge-agent is used.<br>> By default, the Quantum node has the following entries in its<br>> /etc/sysconfig/iptables file.<br>> <br>> -A INPUT -j REJECT --reject-with icmp-host-prohibited<br>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited<br>> <br>> With those two lines, VM cannot get IP address from the DHCP server<br>> running on the Quantum node.<br>> More specifically, the first line prevents a VM from getting IP<br>> address from DHCP server.<br>> The second line prevents a VM from talking to other VMs and external<br>> worlds.<br>> Is there a better way to make the Quantum network work well<br>> than just commenting them out?<br>> <br>> I'll appreciate your help.<br>> <br>> David<br>> <br>> --<br>> ----------------------<br>> Dr. Dong-In "David" Kang<br>> Computer Scientist<br>> USC/ISI<br>> <br>>
_______________________________________________<br>> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>> Post to : <a ymailto="mailto:openstack@lists.launchpad.net" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br><br>-- <br>----------------------<br>Dr. Dong-In "David" Kang<br>Computer Scientist<br>USC/ISI<br><br><br></div> </div> </div> </div></body></html>